
This tutorial covers the new signature syntax included in ClamAV .80rc1, rc2 and rc3. New features include extended wildcards, MD5 signatures, and an extended signature format. Stable versions of .80 had not been released at the time of writing, so this serves as a preview and may not be identical to the signature syntax at the time of release.

The Clam Antivirus Project (http://www.clamav.net/ , http://clamav.sourceforge.net) is an open source virus scanner available for free. Clam allows its users to create their own virus signatures, which is helpful if you discover a piece of malware that is not currently detected by Clam. This tutorial will show you how to create an advanced signature file that can be used by any virus scanner based on the ClamAV .80 engine, with methods to detect minimal polymorphism. Necessary files to complete this tutorial are attached.

Attached (none of which are actually virii):
polymorphicworm.A.1.exe
polymorphicworm.A.2.exe
polymorphicworm.A.3.exe

New wildcards will be included in new versions of ClamAV. These include ?, {n}, {-n}, {n-}, and (a|b).

Wildcard- ?
We will be using the polymorphicworm.A series for this section (A series). The A series is a mass mailing worm, using a randomly generated subject line that is changed in each sent binary (e.g. "g3t s8m5 v7ag28", i.e. "get some viagra"). We will create a signature that will target all 3 in the A series. The ? wildcard is the simplest: it behaves like the single-character wildcard you will find anywhere else, with each ?? standing for one arbitrary byte. Run the A series through strings, and you will see a similarity in the subject line. "g3t s8m5 v7ag28", "g6t s2m7 v8ag65", "g9t s7m3 v6ag18" are all very similar. Only parts of them are polymorphic, not the whole subject line. We can create a signature that replaces the numbers with the "?" wildcard.
The hex string is:
67 33 74 20 73 38 6D 35 20 76 37 61 67 32 38
When we apply the "?" wildcard for that string, it is:
67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61 67 ?? ??

Add some binary before and after to prevent false positives, remove spaces and format:
Hoax.Series.A (Soda)=C30000000000000067??742073??6D??2076??6167????005589E583EC3453

This can get a bit buggy when you use a lot of wildcards. When in doubt, add more binary to the sig.

Wildcard- {n}

We will be using the polymorphicworm.B series for this section (B series). The B series has polymorphic code, but the 2 polymorphic hex strings always maintain a certain distance from each other. We will create a signature that will target all 3 in the B series.

Run the series through strings and you will see "polymorphiccodex" twice in each virus. Notice that the second string is 18 bytes away from the first in each instance. Here is the signature:
Hoax.Series.B (Soda)=E583EC0883C4F46A02A120724100FFD0E879FFFFFFC9C300000000000000706F6C796D6F7270686963636F6465??{18}706F6C796D6F7270686963636F6465??0089F65589E583EC5453E8

The first hex string starts with binary, ends with the hex for "polymorphiccode", and uses ?? for the random number. {18} means the next string will appear 18 bytes away from the first. The second string begins with "polymorphiccode", ?? for the random number, and binary to avoid a false positive.

You can also use {-n}, which means the next string will appear less than n bytes away, or {n-}, which is more than n bytes away.
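As an added illustration (not part of the tutorial and not ClamAV's own code), here is a small Python matcher that compiles this hex syntax, including ??, {n}, {-n}, {n-} and the (a|b) alternation listed in the introduction, into a byte regex, then runs the A and B signatures above against constructed stand-ins for the attached files. The C signature, the sample bytes and the helper names are assumptions made for the example.

```python
import re

def compile_sig(hexsig):
    """ClamAV .80-style hex body -> bytes regex. Handles ?? (any one byte),
    {n} / {-n} / {n-} (exactly / at most / at least n bytes) and (aa|bb)."""
    parts, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "{":                          # gap wildcards
            j = hexsig.index("}", i)
            lo, dash, hi = hexsig[i + 1:j].partition("-")
            rng = "%s,%s" % (lo or "0", hi) if dash else lo
            parts.append(b".{" + rng.encode() + b"}")
            i = j + 1
        elif hexsig[i] == "(":                        # (a|b): each side is hex
            j = hexsig.index(")", i)
            alts = [compile_sig(a).pattern for a in hexsig[i + 1:j].split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
            i = j + 1
        elif hexsig[i:i + 2] == "??":                 # one arbitrary byte
            parts.append(b".")
            i += 2
        else:                                         # literal byte
            parts.append(re.escape(bytes.fromhex(hexsig[i:i + 2])))
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)     # gaps may contain 0x0A

def load_db(text):
    """Parse 'Name=hexsig' lines, the plain .80 format the tutorial uses."""
    return [(n.strip(), compile_sig(h.strip())) for n, h in
            (line.split("=", 1) for line in text.splitlines() if "=" in line)]

def scan(data, db):
    """Names of every signature whose pattern occurs anywhere in data."""
    return [name for name, rx in db if rx.search(data)]

# The A and B signatures from the tutorial plus a constructed (a|b) one for C.
DB = load_db("""
Hoax.Series.A (Soda)=C30000000000000067??742073??6D??2076??6167????005589E583EC3453
Hoax.Series.B (Soda)=E583EC0883C4F46A02A120724100FFD0E879FFFFFFC9C300000000000000706F6C796D6F7270686963636F6465??{18}706F6C796D6F7270686963636F6465??0089F65589E583EC5453E8
Hoax.Series.C (constructed)=48656C6C6F20(52|54|4E)6F64
""")
# Constructed stand-ins for the attached files: the bytes each signature
# expects around the polymorphic string, wrapped in filler.
A_PRE, A_POST = b"\xc3" + b"\x00" * 7, bytes.fromhex("005589E583EC3453")
B_PRE = bytes.fromhex("E583EC0883C4F46A02A120724100FFD0E879FFFFFFC9C300000000000000")
B_POST = bytes.fromhex("0089F65589E583EC5453E8")
def sample_a(subject):                 # subject e.g. b"g3t s8m5 v7ag28"
    return b"filler" + A_PRE + subject + A_POST + b"filler"
def sample_b(gap):                     # gap: the bytes between the two strings
    return B_PRE + b"polymorphiccode7" + gap + b"polymorphiccode2" + B_POST
```

Scanning the bare subject line without the surrounding binary yields no match, which is the "add more binary to the sig" advice above in practice; a gap of 17 or 19 bytes likewise defeats the {18} signature.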

Wildcard- (a|b)

We will be using the polymorphicworm.C series for this section (C series). The C series has polymorphic code, but the polymorphic hex string only changes a certain character. We will create a signature that will target all 3 in the C series. This wildcard lets us specify particular values to look for, rather than accepting any value as the ? wildcard does. Run the C series through strings. You will see "Hello Rod", "Hello Tod", and "Hello Nod". Instead of using a "?" wildcard, we can specify the values we want to detect. The only difference in the string is the beginning of the name. Our signature will look like this: